CVE-2026-43035 Overview
CVE-2026-43035 is a kernel information disclosure vulnerability in the Linux networking subsystem. The flaw resides in tc_chain_fill_node() within net/sched/cls_api.c, which constructs netlink messages for traffic control (TC) chain queries. The function fails to initialize the tcm_info field of struct tcmsg before transmission. Because the underlying buffer is allocated without zeroing, four bytes of uninitialized kernel heap memory leak to userspace each time the function runs. Local users with the ability to query TC chains can collect leaked bytes to defeat kernel address space layout randomization (KASLR) or recover sensitive data residing in freed heap slabs.
Critical Impact
Local attackers can read 4 bytes of uninitialized kernel heap memory per netlink response, aiding KASLR bypass and exploitation of further kernel vulnerabilities.
Affected Products
- Linux kernel — multiple stable branches prior to the fix commits
- Distributions packaging vulnerable kernels (Debian, Ubuntu, RHEL, SUSE, and derivatives)
- Container hosts and virtualization platforms relying on the affected kernel for TC/netlink functionality
Discovery Timeline
- 2026-05-01 - CVE-2026-43035 published to NVD
- 2026-05-01 - Last updated in NVD database
Technical Details for CVE-2026-43035
Vulnerability Analysis
The Linux kernel traffic control subsystem exposes classifier and chain metadata to userspace through netlink messages built around struct tcmsg. The function tc_chain_fill_node() populates this structure to describe a chain node in responses to RTM_GETCHAIN and related queries. The structure contains several fields, including tcm_family, tcm_ifindex, tcm_handle, tcm_parent, and tcm_info. The function explicitly assigns the first four fields but omits tcm_info, leaving it set to whatever data previously occupied the allocation.
Because the message buffer originates from a non-zeroed allocator path, the four uninitialized bytes are transmitted verbatim to the requesting process. An unprivileged local user able to issue netlink TC requests can read these bytes from each reply. Repeated queries yield a stream of leaked heap content that may include kernel pointers, residual structure fields, or sensitive cached data. The leak qualifies as an [CWE-908] use of uninitialized resource paired with [CWE-200] information exposure.
Root Cause
The defect is a missing field initialization in tc_chain_fill_node(). The fix commits, including 1091b3c1 and 4ae5d23f, set tcm_info = 0 alongside the other struct tcmsg assignments. No allocation policy change is required because the surrounding code already enumerates which fields must be populated before the message is committed to the netlink skb.
Attack Vector
The attack vector is local. An attacker requires the ability to open an AF_NETLINK socket of family NETLINK_ROUTE and to issue TC chain dump or get requests. No elevated privileges are needed in the default configuration of most distributions, and the request can be issued from inside an unprivileged user namespace where TC operations are exposed. Each response yields four bytes of leaked memory, which an attacker can aggregate over many calls to reconstruct kernel state.
No public exploit code or proof-of-concept is referenced in the advisory. The vulnerability description in prose is sufficient to reproduce: invoke RTM_GETCHAIN against an interface with classifier chains and inspect the tcm_info field of each response.
Detection Methods for CVE-2026-43035
Indicators of Compromise
- Unexpected userspace processes opening AF_NETLINK sockets with NETLINK_ROUTE and issuing high volumes of RTM_GETCHAIN or RTM_GETTFILTER messages.
- Anomalous use of tc utility or libnl-based programs by non-administrative users on production hosts.
- Kernel versions reported by uname -r matching pre-patch stable branches with no vendor backport applied.
Detection Strategies
- Audit running kernel build identifiers against vendor advisories that reference the patch hashes 1091b3c1, 4ae5d23f, 71a3eda7, 903c3405, 906997ea, d6db0848, e35f5195, and e6e3eb5e.
- Use eBPF or auditd rules to record socket() calls with AF_NETLINK followed by sendmsg() carrying TC message types, correlated to non-root UIDs.
- Review container and pod security policies for unrestricted CAP_NET_ADMIN or unprivileged user namespace creation that exposes TC netlink commands.
Monitoring Recommendations
- Enable kernel auditing for the socket and sendto syscalls filtered to netlink families and forward events to a centralized log platform.
- Track package versions for linux-image-*, kernel, and kernel-default across the fleet to ensure patched builds are deployed.
- Alert on processes that read large volumes of netlink responses without a corresponding administrative workflow.
How to Mitigate CVE-2026-43035
Immediate Actions Required
- Apply the upstream Linux kernel patches that initialize tcm_info in tc_chain_fill_node() and reboot affected hosts.
- Update to the distribution kernel package that incorporates the fix and validate the running version after reboot.
- Restrict unprivileged user namespace creation where TC netlink operations are not required for workloads.
Patch Information
The fix is published across multiple stable branches. Reference commits include Linux Kernel Patch 1091b3c, Linux Kernel Patch 4ae5d23f, Linux Kernel Patch 71a3eda7, Linux Kernel Patch 903c3405, Linux Kernel Patch 906997ea, Linux Kernel Patch d6db0848, Linux Kernel Patch e35f5195, and Linux Kernel Patch e6e3eb5e. Identify the branch matching the deployed kernel and apply the corresponding commit.
Workarounds
- Disable unprivileged_userns_clone (sysctl kernel.unprivileged_userns_clone=0) on systems that do not require unprivileged user namespaces, reducing exposure to TC netlink commands.
- Drop CAP_NET_ADMIN from container runtime defaults and from unprivileged service units that do not need to manage traffic control.
- Use seccomp profiles to deny socket() calls with AF_NETLINK for workloads that have no legitimate need to query routing or TC state.
# Disable unprivileged user namespaces (workaround until patched kernel is deployed)
sysctl -w kernel.unprivileged_userns_clone=0
echo 'kernel.unprivileged_userns_clone=0' > /etc/sysctl.d/90-cve-2026-43035.conf
# Verify the running kernel after applying the distribution update
uname -r
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
